How do you edit system launch daemons?

In previous versions of OS X I was able to edit the /System/Library/LaunchDaemons/mDNSResponder.plist to add the -AlwaysAppendSearchDomains option, but in El Capitan, writing to these directories is blocked. I temporarily disabled SIP and made the change, and it worked great until the next update, which wiped out the change. What is the proper way to handle this? I have tried putting it in /Library instead of /System/Library but no luck.


Thanks,

Dustin

Accepted Reply

You should be able to set AlwaysAppendSearchDomains and NoMulticastAdvertisements in /Library/Preferences/com.apple.mDNSResponder.plist and reboot. For example:


sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist AlwaysAppendSearchDomains -bool YES


This seems to be new in OS X 10.11 (El Capitan).


-- Brian Wells

Replies

Actually, there is one thing you could try after making the required edit - but making a file immutable, even to the system, like this may have unintended side-effects so use these commands at your own risk:


Copy and paste the following lines in Terminal:

  • immutable=\/System/Library/LaunchDaemons/mDNSResponder.plist
  • chmod -R +a "everyone deny delete,file_inherit" "$immutable"
  • sudo chflags -R schg "$immutable"


To return it to an overwritable state repeat with the third line as:

sudo chflags -R noschg "$immutable"


Max.

Thanks for the detailed response, Max. I will give that a try. Seems odd they'd include the argument but give the user no way to edit it. Would love to be able to script this plist edit for our custom company-wide configuration, but I don't see an easier way to do it than using something like csrutil, reboot, edit and add company edits (custom user template and launchdaemon arguments), and then csrutil back to enabled state. Will give your flag a try though.


Edit: Flag seems to be going well so far and at least prevents ownership and file edits. Will check if it survives next time around. Thanks for the tip!

I'm all-but-certain it will work. Please report your findings as I'd be interested in the confirmation or otherwise.


The only way around SIP is to not boot directly into the El Capitan partition. You could maybe make a live USB install of OS X that makes the necessary changes (including the flag modification) to the host computer automatically when booted - It may not save you a huge amount of time though.

Yeah, honestly, with my experience with USB or netboot/netinstall options for Mac I'll probably be avoiding that route... I think our current route of bash scripts on a clean Mac install works best and is easy to run remotely over VNC or even SSH. I think your flag is the best solution to date for our LaunchDaemon edits, but I wish Apple would give some official option to throw these in /Library with our own launch options and have those be read by/instead of the system launch daemon plist. I don't see any way around having a person on site for a new configuration 😟

True, and if changes could be remotely made to SIP protected files then SIP would be next to pointless. There really is no way around having a person on site for that.

Have you tried:

sudo launchctl unload -w /System/Library/LaunchDaemons/mDNSResponder.plist


Copy that file to /Library/LaunchDaemons/mDNSResponder.plist, modify it as you like, then make sure its ownership and permissions are correct (owned by root, not writable by anybody but owner). Then:

sudo launchctl load -w /Library/LaunchDaemons/mDNSResponder.plist


In other words, if you want to override the default, you have to tell launchd not to load it and to load yours instead.
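
An added example, not part of the reply above and not Apple's tooling: a Python check of the conditions that reply asks for on the copied plist (owned by root, writable only by its owner, and carrying the modified argument). The function name `audit_daemon_plist` and the sample plist contents are constructed for illustration; the flag and the /Library/LaunchDaemons path come from the thread.

```python
import os
import plistlib
import stat
import tempfile


def audit_daemon_plist(path, required_arg, expected_uid=0):
    """Return a list of problems with an override LaunchDaemon plist."""
    problems = []
    st = os.stat(path)  # follows symlinks: audit the file that would be read
    if st.st_uid != expected_uid:
        problems.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"mode {mode:o} is writable by group or others")
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # accepts XML and binary plists
    except Exception as exc:
        return problems + [f"not a parseable plist: {exc}"]
    args = job.get("ProgramArguments", []) if isinstance(job, dict) else []
    if required_arg not in args:
        problems.append(f"{required_arg} missing from ProgramArguments")
    return problems


def demo():
    """Audit a constructed sample; our own uid stands in for root here."""
    flag = "-AlwaysAppendSearchDomains"
    sample = {  # constructed sample, not Apple's shipped plist
        "Label": "com.apple.mDNSResponder",
        "ProgramArguments": ["/usr/sbin/mDNSResponder", flag],
    }
    path = os.path.join(tempfile.mkdtemp(), "mDNSResponder.plist")
    with open(path, "wb") as fh:
        plistlib.dump(sample, fh)
    os.chmod(path, 0o644)
    good = audit_daemon_plist(path, flag, expected_uid=os.getuid())
    os.chmod(path, 0o666)  # simulate a copy left writable by everyone
    bad = audit_daemon_plist(path, flag, expected_uid=os.getuid())
    return good, bad


if __name__ == "__main__":
    print(demo())
```

On a real machine, call `audit_daemon_plist("/Library/LaunchDaemons/mDNSResponder.plist", "-AlwaysAppendSearchDomains")` and keep the default `expected_uid=0`.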

Good idea, Ken. I have not tried that. Would you recommend I do the launchctl commands via a startup item in /Library/StartupItems maybe? Like have a startup item that unloads the old, loads the new, then starts it if necessary?

It shouldn't be necessary to do it on every boot. The -w option to the load and unload subcommands should make it permanent.

Ken, that method works brilliantly, thanks! Sadly the -w flag doesn't seem to be working as intended. I still need to manually run these two commands as root on each reboot but we're making progress 😝 It seems like startup items have changed in El Capitan as my old plist template no longer works. Could you point me in the right direction for the Apple sanctioned way to run code as root on startup? Here is my old /Library/StartupItems/ plist template I had been using:

{
    Description = "mDNSResponder fix for Mac OS X";
    OrderPreference = Last;
    Requires =     (
        Network,
        Disks
    );
    Uses =     (
        Network,
        Disks
    );
}


I threw that into a folder labeled mDNSResponderFix and had the above code section in "StartupParameters.plist" and then a bash script (that I confirm works when run manually as root) named mDNSResponderFix. I chowned the directory recursively as root:wheel and chmodded to 755. Any additional guidance would be much appreciated. Thanks!

Brian, sorry for the delay in response. Thanks so much, this is exactly what I was looking for! No SIP changes required and it persists across boot perfectly.